New Android spyware infiltrates Accessibility Access, mimics apps
New spyware targets Android smartphones and mimics generic, banking, and social apps, creating a new trend for criminals.
Since October, researchers have noticed a new type of spyware that specifically targets Android smartphones and impersonates banking apps from a number of major, well-respected financial institutions.
ThreatFabric researchers reported on January 5 that they had seen a significant spike in samples from the SpyNote malware family in October. They pointed out that the malware, also known as SpyMax, can remotely access, manage, and modify device features and resources.
The SpyNote.C variant has been impersonating financial institutions, notably HSBC, Deutsche Bank, Kotak Bank, and BurlaNubank. However, the spyware went beyond banking apps and also impersonated generic apps such as productivity and gaming apps, as well as other widely used apps such as WhatsApp, Facebook, and Google Play.
The SpyNote.C variant, according to ThreatFabric researchers, was sold as "CypherRat" between August 2021 and October 2022, when the source code was made publicly available through GitHub and its use started to become more noticeable.
SpyNote.C is capable of stealing and using personally identifying information from online banking users, as well as tracking SMS messages, calls, videos, and audio recordings. It can retrieve two-factor authentication codes, lift passwords from social networking applications including Facebook and Gmail, and even extract passwords from other websites.
The researchers claim that by abusing Android's Accessibility Services, SpyNote.C makes itself difficult to remove and can install updated versions of both itself and other applications without user interaction.
ThreatFabric researchers concluded that the spyware could change the way information gets stolen and broaden the purposes such intrusions serve. According to the researchers, this is “the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and Banking malware, due to the power that the abuse of Accessibility services gives to criminals.”
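Because the abuse described above depends on an app holding an enabled accessibility service, a defender can audit which packages hold one. The following is an added example, not code from ThreatFabric or from the original article: it cross-references the enabled services with each package's installer, assuming that a service whose package was not installed from Google Play deserves review. The package names and sample outputs are constructed.

```python
import re

# Assumption for this example: only Google Play counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(setting_value):
    # Input: output of `adb shell settings get secure enabled_accessibility_services`,
    # a colon-separated list of package/class components ('null' or empty if unset).
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services = []
    for item in value.split(":"):
        pkg, _, cls = item.strip().partition("/")
        if pkg:
            # A leading '.' means the class name is relative to the package.
            services.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return services

def parse_installers(pm_output):
    # Input: output of `adb shell pm list packages -i`, one
    # "package:<name>  installer=<name|null>" entry per line.
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def flag_services(setting_value, pm_output, trusted=frozenset(TRUSTED_INSTALLERS)):
    # Enabled accessibility services whose package lacks a trusted installer.
    installers = parse_installers(pm_output)
    return [(pkg, cls, installers.get(pkg))
            for pkg, cls in parse_enabled_services(setting_value)
            if installers.get(pkg) not in trusted]

# Constructed sample output; package names are hypothetical, not from a real sample.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.bankupdate/com.example.bankupdate.HelperService\n")
SAMPLE_PM = (
    "package:com.google.android.marvin.talkback  installer=com.android.vending\n"
    "package:com.example.bankupdate  installer=null\n"
)

if __name__ == "__main__":
    for pkg, cls, installer in flag_services(SAMPLE_SETTING, SAMPLE_PM):
        print(f"review: {pkg} ({cls}) installer={installer}")
```

Preinstalled system packages also report a null installer, so they will appear in the review list and need to be allowlisted per device image.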